Do As We Say, Not As We Do: The Indictment of StealthGenie’s Hammad Akbar

Do you remember when your dad would expound upon you the dangers of smoking after his fifteenth cigarette that day? Even as a pimply-faced, hormonal teenager, the irony was not lost on you.

Now, well into adulthood, we are again being scolded by our overseers for doing exactly what they practice with regularity.

The owner of a mobile app called StealthGenie, a Pakistani man called Hammad Akbar, has been indicted in the U.S. state of Virginia by a grand jury for “conspiracy, sale of a surreptitious interception device and marketing of a surreptitious interception device” under the federal Wiretap Act.

In a statement regarding the indictment, U.S. Assistant Attorney General and Head of the Justice Department’s Criminal Division, Leslie R. Caldwell, said: “…The criminal division is committed to cracking down on those who seek to profit from technology designed and used to commit brazen invasions of individual privacy.”

Let’s take a quick look at this Wiretap Act. It’s actually quite straightforward.

According to the Wiretap Act, it is illegal to “intentionally, or purposefully intercept, disclose or use the contents of any wire, oral or electronic communication through the use of a ‘device.’”

Sounds like a pretty good law, and I would say Mr. Akbar’s StealthGenie app certainly violates it. StealthGenie allows users to install the app on the phone of anyone they choose, allowing these other users to monitor almost everything that goes on with the device. They can track the phone’s location on a map, they can listen to phone calls in near-real time, they can read texts, emails and calendar entries, they can look over the contacts list and see the web browsing history—all without the device owner’s knowledge.

According to Akbar, it is most commonly used by people who suspect their significant others of infidelity.

Is it nefarious? Absolutely. Should it be allowed? That depends on your ideological viewpoint, I suppose. However, it does violate the law, and the law is the law. End of story.

The problem is, this indictment should set a precedent where any person or entity using a “surreptitious interception device” should likewise be prosecuted under the Wiretap Act. And that includes the government and its agents.

In the modern age, and thanks to such monumental documents like England’s Magna Carta and the U.S. Constitution, rule of law applies to everyone equally. In fact, such documents were often drafted less for the protection of the greater society from individual criminals and private criminal elements and more for the protection of the greater society from would-be tyrants and power-mongers. In other words, they protect the people from the government, not vice versa.

A striking example would be America’s much-debated 2nd Amendment. “The right to bear arms” was not originally intended for the Ted Nugents of the world. It wasn’t so vigilantes and family men could protect their homes and properties from invaders—as important as that may be—or shoot a trophy deer. It was intended so the citizenry could stand up against the emergence and infringement of a tyrannical ruler. You see, tyranny was a big deal back then—and not surprisingly. The Enlightenment was a response to roughly six thousand years of tyrannical ruling elite classes: nobility, clergy, emperors and kings.

Unfortunately, it’s still relevant today. The only difference is that nobility doesn’t go by Duke and Earl anymore, but rather Senator and Representative. And the sprawling network of clergy keeping a watchful eye on the private behavior of the population doesn’t come in the form of robed priests and bishops. Today, they’re simply bureaucrats in an office building in Virginia with access to the largest, most technologically advanced surveillance apparatus in history. And just like always, the rules don’t apply to them.

But pay no attention to the man behind the curtain. Instead, prosecute entrepreneurs who only follow his example.

The only truly just thing to do at this point is to let the Hammad Akbars of the world go free, or uphold rule of law and prosecute the spooks, bureaucrats and politicians whose “brazen invasions of individual privacy” make StealthGenie look like child’s play.

Want to Combat Domestic Surveillance? Let’s Change the Deal with Google

The people of the formerly free world have again been dragged into a war not of their own choosing. This time, the enemy is not a nation, or an ethnic group, or even an idea. We have become the enemy. We have become the subject of undue scrutiny, paranoia, distrust, imprisonment and violence.

It is often our habit, in cases of great injustice, to look to our leaders for solutions. We ask for statutory, constitutional or regulatory protections. We cast our eyes toward the politicians, asking for the power of government to support their people and validate the mandate we gave them as our elected representatives.

There is no hope for that now. The U.S. government, the British government, the Canadian government, the Australian government, the government of New Zealand and many more have become the perpetrators of this injustice against their own people. Furthermore, they possess vast resources, technology and knowledge. They have the capability to exploit any computer, break nearly any encryption and they have the coercive power to silence much dissent.

In instances such as these, the solutions must come from us. We have the numbers and the knowledge. Do we have the will?

There are only a few methods with which we can approach security when browsing the Internet. One is encryption, but that only works if both parties cooperate and are willing to maintain secrecy. So, it’s not really much of a solution.

Another is hiding in the crowd. Currently, Tor is the best option for this method, allowing users to bounce their Internet traffic off of numerous other Tor users’ computers before it ultimately rejoins the network. The last person in the chain is called an exit node operator. One must volunteer to become an exit node operator—and not many people do. In fact, Tor has begun offering to pay exit node operators because they don’t have enough for the system to really work very well. We’ll see if it works.

The problem is, exit node operators take on a lot of risk. When Internet users look at child pornography or use a stolen credit card to buy something, this illegal activity is connected to an IP address. When those Internet users do it through Tor, that IP address is going to be that of an exit node operator.

These guys have been blacklisted, raided, arrested, manhandled, etc. because, unfortunately, bad guys exist and Tor is a great place for them to hide. That’s why not too many people are lining up for the job of exit node operator and consequently, why Tor is quite slow and cumbersome. Tor data from thousands of users is funneled through a handful of exit node operators. Google’s home page is about a seven-second ordeal. Just imagine trying to watch a YouTube video, if Tor were able to protect your anonymity while doing so.

So, how can we avoid the problems inherent in Tor, maintain the Internet speeds we’ve all grown accustomed to, still keep the bad guys in the shadows and remain anonymous all at the same time? It’s a tall order, but it’s possible.

If we target a specific application, rather than attempting to anonymize all web activity, then we can have our privacy and our speed. Simply put, we change the deal with Google. Right now, the deal is that Google gives us the ability to find any information our hearts and souls desire, and in exchange we give Google our actual hearts and our actual souls.

That’s not a great deal, but let’s be honest. You can’t beat ’em. Google’s search capabilities are unmatched—they’ve constructed an absolute wonder of the digital world. Search results are lightning fast and incredibly thorough. Their maps capabilities would have Magellan green with envy. Who wants to settle for a second rate search experience?

The problem is, Google has betrayed us. Eric Schmidt, Google’s Executive Chairman, brushed domestic surveillance aside recently, saying:

“There’s been spying for years, there’s been surveillance for years, and so forth, I’m not going to pass judgement on that, it’s the nature of our society.”

Those aren’t the words most of us want to hear from one of the higher-ups in our most widely-used companies. We want to see outrage, indignation and counteraction from Google, Microsoft, Facebook and all the rest of them. But they aren’t forthcoming.

What we need is a new way to use Google like people use Tor. If Google searches are bounced off of millions of users’ computers and everyone is potentially an exit node, we have our ability to hide in the crowd. We have plausible deniability when it comes to our search engine use.

Furthermore, Google already polices itself for illegal activity like kiddie porn and fraud. So, online criminals will have to continue lurking the depths of the Internet if they wish to continue their behavior.

Government spooks will still be able to see what goes on in our smartphones, hack our computers, read our email and, yes, find our search engine data. But that would be an incredibly expensive and drawn-out process—and at least we wouldn’t be handing out our search engine habits on a silver platter.

Such an endeavor, socially, must act like a movement. If no one is willing to be an exit node operator—as is the case with Tor—it won’t work. But with hundreds of millions of Google users, such a movement is entirely possible.

Here’s how it can work: A browser add-on joins you with other participants using similar techniques to those employed by the BitTorrent file sharing protocol to implement distributed trackers. The plugin would operate much like Tor as an exit node, only instead of allowing arbitrary TCP connections it would be strictly limited to performing search queries on Google.

Such a system would solve the incentive problem stunting Tor. Everyone would be an exit node by default. Nobody would be enabling credit card fraud because it would be impossible to buy anything through you. You would not be enabling child pornographers because Google tries to avoid hosting that type of content anyway. You would not be helping botnet operators hide their command and control systems from network operators and security researchers. You might proxy some unsavory searches, but the combination of all the queries your browser submits to Google would be so random that anything embarrassing or incriminating couldn’t be attributed to you with any certainty.
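The “strictly limited to performing search queries on Google” property is what makes a participant safer than a Tor exit, so it has to be enforced by the relay before anything is forwarded. The following is an added illustration of such a policy check; it is not code from the post or from any existing add-on. The allowed host, path and parameter names, the size cap and the forwarded-header set are assumptions chosen for the demo, not Google’s documented interface.

```python
"""Request allow-list for a hypothetical search-only relay (added example).

A peer forwards a request on someone else's behalf only if it is a plain GET
of an HTTPS web search. Everything else (other hosts, other paths, POST bodies,
unknown parameters, oversized queries) is refused so the relay cannot be turned
into a general proxy or a covert data channel. All names below are assumptions.
"""
from urllib.parse import urlsplit, parse_qsl

ALLOWED_HOSTS = {"www.google.com"}             # assumed: the only upstream the relay talks to
ALLOWED_PATHS = {"/search"}                    # assumed: only the web search endpoint
ALLOWED_PARAMS = {"q", "hl", "num", "start"}   # assumed: query text and paging only
MAX_QUERY_BYTES = 2048                         # assumed cap against smuggling data in the query
FORWARDED_HEADERS = {"accept", "accept-language"}  # assumed minimal set a search needs


def check_search_request(method: str, url: str) -> tuple:
    """Return (allowed, reason). Only a plain GET of an HTTPS search URL passes."""
    if method.upper() != "GET":
        return False, "only GET is relayed"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "only https is relayed"
    # .hostname strips userinfo and port, so 'https://www.google.com@evil.example/'
    # is correctly seen as evil.example rather than matching on a prefix.
    if parts.hostname not in ALLOWED_HOSTS:
        return False, f"host not allowed: {parts.hostname}"
    if parts.port not in (None, 443):
        return False, "non-default port"
    if parts.path not in ALLOWED_PATHS:
        return False, f"path not allowed: {parts.path}"
    if len(parts.query.encode()) > MAX_QUERY_BYTES:
        return False, "query too long"
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if "q" not in names:
        return False, "no search term"
    extra = names - ALLOWED_PARAMS
    if extra:
        return False, f"parameter not allowed: {sorted(extra)}"
    return True, "ok"


def sanitize_headers(headers: dict) -> dict:
    """Drop anything that could identify the requester: cookies, auth, client fingerprint."""
    return {k: v for k, v in headers.items() if k.lower() in FORWARDED_HEADERS}


if __name__ == "__main__":
    for m, u in [("GET", "https://www.google.com/search?q=tor+exit+node"),
                 ("GET", "https://www.google.com@evil.example/search?q=x"),
                 ("POST", "https://www.google.com/search?q=x")]:
        print(m, u, "->", check_search_request(m, u))
```

The header stripping matters as much as the URL check: if the relay forwarded the requester’s cookies or User-Agent, the “hide in the crowd” property would be lost even though the query itself came from a random peer.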

There would definitely be some security challenges to solve, but it would be easier and more productive to overcome those technical problems than trying to pay Tor exit node operators. After all, BitTorrent is doing just fine in spite of powerful adversaries who would love to see its demise. Just how much money would it take to anonymize 25% of global search traffic with Tor? Based on what we’ve seen so far, is it reasonable to believe Tor can really scale to the size necessary to achieve that?

If the spooks want our souls, let’s make them pay one hell of a high price. Let’s force them to turn Microsoft, Apple, and Samsung’s update services against us, because that’s extremely expensive both operationally and politically. Let’s force them to use their zero day exploits against our endpoints because while they still dominate that space at least we have the ability to bring technical countermeasures to the fight. Their advantage battling us as vulnerability researchers and exploit developers is based entirely on information asymmetry, and even as they win battles, they lose information advantage just by fighting us. Just as the surveillance state slowly crept up on us we will slowly erode its potency, and eventually we’ll snuff it out.

Cloud Storage Review: Box Enterprise

Initially I was a bit annoyed with Box because they refused to give me a free demo account, but luckily I thought I ought to get in touch with them one more time. This time I not only got a demo account, a Box sales rep spent over two hours giving me a full demo of all of Box’s functionality. And boy, does it ever have a lot of functionality.

Box has strong centralized control of accounts, permissions, and other policy settings.

Box has revision control. The number of revisions stored can be set globally. Explicit file locking is supported, and if it’s not used then the last write will just overwrite the previous write with no notice to users.

Of all the services I’ve reviewed, Box has the most flexible permission options. It supports the concept of object owners with full control, co-owners with full control except for the ability to mess with the permissions of the owner, editors with full read/write access, viewers with read only access, and viewer-uploaders with read only access plus the ability to create new files.

In addition to these privilege levels Box also has a permission called previewer. The previewer is interesting in that users with this privilege can preview files but aren’t allowed to save them. Obviously this can be circumvented, as anything I can view on my device I can make a copy of, however less skilled users will have a hard time doing so. Finally, there is the uploader, who can drop files in a folder but otherwise has no access.

Box logs absolutely everything, which is nice. You can see who did what and from what IP address. Even the account administrator can’t delete any log files.

Box has good platform support. You can access your files on Windows, Mac, iOS, and Android. There are even separate applications to support tablet devices with larger screens. Unfortunately Linux is not supported; however, Linux users are making use of WebDAV to mount Box as a filesystem.

Making a local backup of your company’s data in Box is definitely doable. If mounting everything using the WebDAV method and making a backup that way won’t work, there is an API available. I’m told that anything that can be done in the web interface can be done in the API, though I haven’t confirmed that for myself.

Overall I have to say Box is the most mature looking cloud solution I’ve seen so far, with the most features.

Cloud Storage Review: Oxygen Cloud

Oxygen Cloud allows you to easily make your own shared folders accessible via the internet. It allows you to blend your own storage devices with storage provided by Oxygen itself.

Management of accounts in Oxygen is centralized. Administrators can add new users by inviting them by email. Existing user accounts can be disabled or deleted. Oxygen maps what it calls the “Data Grid” to the “O” drive on Windows. Presumably it uses some appropriate mount point on Mac OS X and other Unix-like platforms. The local drive mapping/mount point is actually backed by local storage. Changes are then synchronized with the server. When a user is deleted, the client software on that user’s device will delete the temporary storage backing the drive mapping. That’s great, because when a team member leaves, the files disappear from his devices. Of course, the files could be recovered by low-level technical means, and the user can copy files to another location that isn’t managed by Oxygen while he still has access to them, but it’s better than nothing. Oxygen also supports single sign-on with Active Directory integration; however, it’s not cheap.

Session timeouts can be managed as well.

Revision control is supported and deleted files can be recovered.

Permissions are straightforward with Oxygen: Read Only or Read/Write. Permissions are assigned to Oxygen “Spaces”, which are roughly equivalent to a shared folder in Windows.

In addition to read/write privileges, it’s possible to grant a user permissions to grant access to other users.

Oxygen has good platform support, including Windows, Mac, Linux, iOS and Android.

Making a local backup of the data in Oxygen managed spaces is straightforward. Just grant the user making the backups access to everything and back up the Oxygen drive to another filesystem.

Updated (August 2, 2012):

Further testing of revision control in Oxygen reveals that when conflicts occur the last save silently overwrites the prior save. As there is no notification, users will have no way of knowing when they clobbered another user’s changes. You can still restore clobbered versions of files in the web interface, and it will create a copy like this: Filename (Version X). This behavior is not as useful as how Dropbox automatically renames files.

Cloud Storage Review: Box

Box.com looks pretty good, but since they don’t provide a demo account unless I sign up with a credit card number that will be automatically billed I won’t be reviewing them. Too many companies ask for credit cards and promise you can cancel, only to make it extremely difficult to do so. There is no valid reason to use this billing model since box.com can shut off the account at any time. I’d rather pay $5 to have an account for a week than have to risk going through a cancellation process.

Information disclosure

A client recently asked me for help with a fingerprint scanner/timeclock for employees to punch in and punch out. It seems that when the device finds an AP with spaces or underscores in the name, some undefined behavior occurs.

[Screenshot of the device’s access point list, not reproduced here.] The name of the second access point is a bunch of hex digits. Before the NULLs the string is “20Pender”, which is the name of a nearby street. I’m surprised to see such a shoddy wireless implementation out there. If it can’t even do proper input validation on SSID strings, imagine how many other bugs must exist. Luckily this has an Ethernet port, because there’s no chance this could ever work in an environment with APs under third party control (e.g. every office building and condo).
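The root cause the post points at is treating an SSID as a printable, NUL-terminated C string. An SSID is 0 to 32 arbitrary octets carried in the beacon’s information element with tag 0, so spaces, underscores, NUL bytes and non-ASCII are all legal. The following is an added example of how a device should handle that field defensively; it is not code from the post or from the timeclock’s firmware. The beacon fragment is constructed for the demo.

```python
"""Defensive parsing and rendering of 802.11 SSID octets (added example).

The length byte is checked against both the 32-octet SSID limit and the bytes
actually present, so a malformed element cannot walk the parser past its buffer,
and rendering never stops at a NUL or emits raw control bytes to the display.
"""

SSID_TAG = 0          # 802.11 information element ID for the SSID
SSID_MAX_LEN = 32     # SSID is 0..32 octets

# Constructed beacon tail for the demo: SSID element "20Pender" followed by a
# Supported Rates element (tag 1) so the walker has something to step over.
BEACON_IES = bytes([SSID_TAG, 8]) + b"20Pender" + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])


def parse_ssid_ie(ies: bytes) -> bytes:
    """Walk tag/length/value elements and return the SSID octets, or raise ValueError."""
    i = 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        value = ies[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if tag == SSID_TAG:
            if length > SSID_MAX_LEN:
                raise ValueError(f"SSID length {length} exceeds {SSID_MAX_LEN}")
            return value
        i += 2 + length
    raise ValueError("no SSID element")


def render_ssid(raw: bytes) -> str:
    """Render SSID octets for display using a fixed output alphabet.

    Printable ASCII (spaces and underscores included) passes through; every other
    octet, NUL included, is shown as \\xNN instead of being dropped or treated as a
    terminator, so the output length is bounded by 4 * 32 characters.
    """
    if len(raw) > SSID_MAX_LEN:
        raise ValueError("SSID too long")
    out = []
    for b in raw:
        if 0x20 <= b <= 0x7E and b != 0x5C:   # printable, but escape the backslash itself
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


if __name__ == "__main__":
    print(render_ssid(parse_ssid_ie(BEACON_IES)))
    print(render_ssid(b"my_net work"))
    print(render_ssid(b"a\x00b\xff"))
```

The point of the bounded output alphabet is that the display routine’s worst case is known in advance; a beacon can only ever produce up to 128 characters of escaped text, never a read past the end of whatever buffer the firmware copied the SSID into.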

Cloud Storage Review: Office365/SharePoint

Microsoft offers a hosted SharePoint as part of Office 365. SharePoint is a bit different than the other two services I’ve discussed so far: it’s not just a file synchronization service, it’s also a content management system and team collaboration tool.

SharePoint has two places where files can be attached: Site Pages and Document Libraries. I’ll focus on document libraries. For each document library you can choose if you want to enable revision control or not.

Office 365 features centralized administration of users and permissions for all of its products, including SharePoint. You are in fact on an Active Directory domain, which can be the same one all your office computers belong to.

Document Libraries support revision control with an explicit file locking mechanism. While this method ensures that accidental overwrites never occur, explicitly having to check out files and check them back in adds extra steps to users’ workflow. Another problem is that users will forget to release locks when they’re done with files, requiring administrators to intervene.

Permissions are extremely flexible in SharePoint.

Office 365 will work in any web browser, and there appears to be support for iPhone and Android phones as well.

There is no obvious method of making a backup of all the files in the system. One great feature of Office 365 in general is that it’s possible to connect remotely with PowerShell and interact with the service programmatically. This area needs further investigation.

Forbes Privacy Advice

Forbes published an article on how to protect your privacy and I have a few comments on that.

1. Hushmail is garbage. They backdoored their own Java mail client once before at the request of the RCMP. I’m having a hard time finding articles about this because it’s so old. In my opinion Hushmail is total snake oil. You are a fool if you trust that service. You are actually better off just running your own mail server on a TrueCrypt filesystem.

2. TrueCrypt looks solid to me, but don’t think you can just think up a password. You need to generate it. Here is an example of a password that will give you 128-bit security:

“v1zi9N2kSIqKE8DlfNKbaGnlYZ”

If you want something that gives you 256-bit security you need something like this:

“pl8X1W7h3ANLPLSBjNgd5ruPnMTi9Dgzcu2qMjFAQHtotmRc3XpKOfO”

And you need to memorize that. If you think you can use passwords you can think up yourself you’re only fooling yourself. Picture football fields full of servers stuffed with CUDA cards that can try a lot of keys per second. Now imagine how much easier it will be to brute force your keys 5 years from now.
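To make the “generate, don’t invent” advice concrete, here is an added example (not from the post) of how many characters a uniformly random string over letters and digits needs to reach a target number of bits, and how to draw one from the OS CSPRNG. By this count a 62-symbol alphabet gives about 5.95 bits per character, so 22 characters clear 128 bits and 43 clear 256; the post’s sample strings are longer than that minimum. The guess rate used in the brute-force estimate is a made-up figure for illustration.

```python
"""Password length for a target entropy, and secure generation (added example).

Entropy here is credited only to strings drawn uniformly at random from a known
alphabet; a human-chosen password gets no such credit, which is the post's point.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, as in the post's examples


def bits_per_char(alphabet: str = ALPHABET) -> float:
    """Entropy contributed by one uniformly chosen symbol."""
    return math.log2(len(alphabet))


def chars_for_bits(bits: int, alphabet: str = ALPHABET) -> int:
    """Smallest length whose uniform random strings carry at least `bits` of entropy."""
    return math.ceil(bits / bits_per_char(alphabet))


def generate_password(bits: int, alphabet: str = ALPHABET) -> str:
    """Uniform random string with at least `bits` of entropy.

    secrets.choice uses the OS CSPRNG and is free of modulo bias, unlike
    random.choice or a hand-rolled `rand() % len(alphabet)`.
    """
    return "".join(secrets.choice(alphabet) for _ in range(chars_for_bits(bits, alphabet)))


def entropy_bits(password: str, alphabet: str = ALPHABET) -> float:
    """Entropy IF the string was drawn uniformly from `alphabet` (not a strength meter)."""
    if any(c not in alphabet for c in password):
        raise ValueError("character outside alphabet")
    return len(password) * bits_per_char(alphabet)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every key of the given size at a constant guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for target in (128, 256):
        pw = generate_password(target)
        print(f"{target}-bit target: {len(pw)} chars, e.g. {pw}")
    # Illustrative rate only (assumed): a trillion guesses per second.
    print(f"40 bits at 1e12/s: {years_to_exhaust(40, 1e12):.2e} years")
    print(f"128 bits at 1e12/s: {years_to_exhaust(128, 1e12):.2e} years")
```

The last two lines are the post’s argument in numbers: a 40-bit secret falls in about a second at the assumed rate, while 128 bits is out of reach by a factor that no plausible hardware growth over five years closes. The rate is an assumption, but the ratio between the two cases is not.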

3. ZRTP is fantastic. Jitsi supports it and it’s free. It’ll work on a SIP or XMPP server, and if you choose XMPP then you can use OTR for text chat. Make sure you verify the SAS on a ZRTP enabled voice session, then use that session to confirm the key fingerprints for OTR, or else OTR is vulnerable to MITM attacks.

4. For chat sessions, unless you do the above or meet in person to verify key fingerprints, you’re getting no protection against MITM attacks.

5. You can’t make sure your VPN provider isn’t logging you. You just have to blindly trust them. It sucks, but that’s just how it is. You can use Tor, but it’s tough to put up with the lag. Latency is the price of anonymity.

Cloud Storage Review: SugarSync for Business

SugarSync offers multi-user business accounts. I contacted SugarSync by email for a demo account on Tuesday morning, and I was up and running by the afternoon. Not having used SugarSync before, my first impression was that the web interface isn’t as friendly as Dropbox. That said, friendliness of web interfaces isn’t in my criteria, so let’s begin with centralized user management.

SugarSync for Business accounts are managed by the account administrator. It’s possible to add, remove, and disable users. In this respect it’s more suitable for companies than Dropbox for Teams.

Next up, revision control. SugarSync supports it, but for some reason limits it to the current version plus 5 previous revisions of each file.

Since old revisions are automatically deleted, it’s possible for users to destroy data. Another weakness of SugarSync’s revision control is that if users edit the same file simultaneously then whoever saved last will just overwrite the changes of the user who saved first. Users will not realize that they clobbered someone else change, and if they don’t notice within 5 subsequent edits it’s gone forever.
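The Box, Oxygen and SugarSync reviews all describe the same failure: when two users edit from the same base, the last save silently overwrites the first, and with SugarSync the clobbered version is also purged after five further edits. Dropbox’s behaviour of renaming the losing copy is held up as the better design. The following is an added toy model (not any vendor’s code) that implements both conflict policies behind an optimistic version check, plus a revision cap, so the difference can be seen on a concrete sequence of saves. Names and the cap value are assumptions for the demo.

```python
"""Sync-server conflict policies and revision retention side by side (added example).

A client sends the version it last synced ("base_version") with each save. If the
server has moved on, that is a concurrent edit: "overwrite" clobbers it quietly,
as the reviewed services do; "rename" parks the loser under a new name, as Dropbox
does. A max_revisions cap models SugarSync-style purging of old versions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Revision:
    version: int
    author: str
    content: str


@dataclass
class FileEntry:
    current: Revision
    history: List[Revision] = field(default_factory=list)   # prior versions, oldest first


class SyncServer:
    def __init__(self, conflict_policy: str = "rename", max_revisions: Optional[int] = None):
        assert conflict_policy in ("overwrite", "rename")
        self.policy = conflict_policy
        self.max_revisions = max_revisions      # None = keep everything
        self.files: Dict[str, FileEntry] = {}

    def read(self, name: str) -> Revision:
        return self.files[name].current

    def save(self, name: str, author: str, content: str, base_version: Optional[int]) -> str:
        """Commit an edit made on top of base_version; returns the name the data landed under."""
        entry = self.files.get(name)
        if entry is None:
            self.files[name] = FileEntry(Revision(1, author, content))
            return name
        if base_version != entry.current.version:
            # Someone else committed since this client last synced.
            if self.policy == "rename":
                copy = f"{name} ({author}'s conflicted copy)"
                self.files[copy] = FileEntry(Revision(1, author, content))
                return copy
            # "overwrite": fall through and clobber with no notice to anyone.
        self._commit(entry, author, content)
        return name

    def _commit(self, entry: FileEntry, author: str, content: str) -> None:
        entry.history.append(entry.current)
        if self.max_revisions is not None and len(entry.history) > self.max_revisions:
            # Oldest revisions are discarded for good once the cap is exceeded.
            del entry.history[: len(entry.history) - self.max_revisions]
        entry.current = Revision(entry.current.version + 1, author, content)

    def restore(self, name: str, version: int) -> bool:
        """Bring an old revision back as a new current version; False if already purged."""
        entry = self.files[name]
        for rev in entry.history:
            if rev.version == version:
                self._commit(entry, f"restore:{rev.author}", rev.content)
                return True
        return False


def demo_lost_update(policy: str) -> Dict[str, str]:
    """Two users edit the same base version; returns what each file name holds afterwards."""
    srv = SyncServer(conflict_policy=policy)
    srv.save("plan.txt", "alice", "v1", None)
    base = srv.read("plan.txt").version
    srv.save("plan.txt", "alice", "alice's edit", base)   # alice syncs first
    srv.save("plan.txt", "bob", "bob's edit", base)       # bob saved from the same stale base
    return {n: e.current.content for n, e in srv.files.items()}


if __name__ == "__main__":
    print("overwrite:", demo_lost_update("overwrite"))
    print("rename:   ", demo_lost_update("rename"))
```

With the cap set to five, a clobbered version is recoverable through `restore()` for exactly five subsequent saves and then gone, which is the SugarSync case described above; with the cap left at `None` it stays recoverable indefinitely, as with Oxygen’s web interface restore.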

Permissions are handled in a very strange manner. They are a property of the shared folder, not the objects within it. Permissions cannot be assigned to users either.

There are only two options, Read Only and Add & Edit. When the share is set to Read Only, not only does the user lose write access, his folder can’t even be automatically synchronized! The only way to access files you don’t have write permission to is to use the web interface or the SugarSync File Manager program.

SugarSync supports Windows, Mac OS X, iOS, Android, and other less important mobile platforms. There is an alpha client for Linux on GitHub, but it hasn’t been updated in 2 years and nobody seems happy with it. It’s impossible to reliably make a local backup of everything in SugarSync because regular users have to explicitly share their folders with administrators. You can take over a user’s account by disabling them, so I guess that is a workaround when you have to fire someone.

Overall SugarSync has good central control, but it would be better if administrators could just access any file like you can as a Windows domain administrator so that the admin can just synchronize everything to a machine the company physically controls. Platform support is pretty good. Permissions and revision control need improvement.

Next up, Office 365 SharePoint.